What to Know
- 30,766 ETH worth roughly $71.5 million was frozen on Arbitrum One and is no longer accessible to the attacker’s wallet
- The funds are linked to the $292 million KelpDAO exploit on April 18, which drained 116,500 rsETH tokens
- LayerZero attributed the attack to North Korea’s Lazarus Group after two compromised RPC nodes were used to push a poisoned message
The Arbitrum Security Council just did the thing decentralization maximalists swore would never happen on a real rollup. On Tuesday, the elected signers froze 30,766 ETH worth about $71.5 million sitting on Arbitrum One, funds they say trace back to last week’s $292 million KelpDAO exploit. The council moved the balance into an intermediary wallet that only a governance vote can touch, invoking its emergency powers after, as it put it, law enforcement handed over intelligence on the attacker’s identity.
What the Arbitrum Security Council Actually Did
Here is the short version. An address holding 30,766 ETH connected to the KelpDAO attacker sat on Arbitrum One. The Arbitrum Security Council, a body of elected signers with emergency powers over the layer-2 network, voted to freeze the balance and shift it into a holding wallet. From that wallet the funds cannot move again without a fresh coordinated action through Arbitrum governance.
In plain English: the attacker woke up Tuesday with $71.5 million on Arbitrum and went to sleep with none. The money has not been returned to KelpDAO or to victims yet. It is parked. Where it ends up depends on a governance process the council said will be coordinated with, in its wording, the relevant parties.
The council framed the move as an emergency action rather than a discretionary one. It said it acted on input from law enforcement about who controlled the wallet. It did not name the agency and did not name the alleged attacker.
The funds are no longer accessible to the address that originally held the funds, and can only be moved by further action by Arbitrum governance, which will be coordinated with relevant parties.

How Did the $292M KelpDAO Exploit Happen?
The story that brought the council off the bench started on April 18. KelpDAO, a liquid restaking protocol built on top of EigenLayer, lost 116,500 rsETH tokens in a single incident worth roughly $292 million at the time. The attacker drained the tokens by abusing the protocol’s cross-chain messaging layer, not its smart contract logic.
LayerZero, the interoperability provider underneath KelpDAO’s bridge, published a postmortem blaming a social engineering and infrastructure compromise. According to its account of the KelpDAO exploit, attackers poisoned two of the three RPC nodes KelpDAO had configured and hit the third with a denial of service flood. With two out of three nodes feeding a false message and the third knocked offline, the bridge treated the malicious instruction as valid and released the rsETH to the attacker.
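A simplified model of the quorum failure described above, added here as an example and not taken from LayerZero's or KelpDAO's code; the node names, payload hashes and all three functions are assumptions. It contrasts a 2-of-3 majority rule with a fail-closed rule that halts when any configured node is silent or disagrees, and flags the rounds where the two rules diverge.

```python
from collections import Counter

# Constructed sample rounds: payload hash each hypothetical RPC node reports
# for one cross-chain message. None means the node did not answer.
HEALTHY = {"rpc-a": "0xgood", "rpc-b": "0xgood", "rpc-c": "0xgood"}
POISONED = {"rpc-a": "0xbad", "rpc-b": "0xbad", "rpc-c": None}
SPLIT = {"rpc-a": "0xbad", "rpc-b": "0xgood", "rpc-c": "0xbad"}


def majority_accept(responses, threshold=2):
    """Weak policy: accept any hash reported by at least `threshold` nodes."""
    votes = Counter(v for v in responses.values() if v is not None)
    if not votes:
        return None
    value, count = votes.most_common(1)[0]
    return value if count >= threshold else None


def fail_closed_accept(responses):
    """Stricter policy: every configured node must answer and all must agree."""
    values = list(responses.values())
    if not values or any(v is None for v in values):
        return None  # a silent node halts the round instead of shrinking it
    return values[0] if len(set(values)) == 1 else None


def review_round(responses):
    """Return (decision, alerts) so degraded rounds are visible to operators."""
    alerts = []
    down = sorted(n for n, v in responses.items() if v is None)
    if down:
        alerts.append("unreachable: " + ",".join(down))
    if len({v for v in responses.values() if v is not None}) > 1:
        alerts.append("nodes disagree")
    decision = fail_closed_accept(responses)
    if decision is None and majority_accept(responses) is not None:
        alerts.append("majority rule would have released")
    return decision, alerts


if __name__ == "__main__":
    for name, sample in [("healthy", HEALTHY), ("poisoned", POISONED), ("split", SPLIT)]:
        print(name, majority_accept(sample), review_round(sample))
```

The fail-closed rule trades liveness for safety: knocking one node offline stalls messaging instead of releasing funds, so the unreachable-node alert needs an owner who can respond.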
What happened next is why this story is now an international one. LayerZero attributed the attack to the Lazarus Group, the North Korean state-sponsored crew that CISA and the FBI have been warning crypto companies about for years under the TraderTraitor banner. If that attribution holds, this is not a teenager in a basement. It is a nation state monetizing a restaking protocol’s bridge config.
The LayerZero and KelpDAO Blame Game
Within 48 hours of the hack, a very public argument broke out between LayerZero and KelpDAO over whose documentation was at fault. LayerZero pointed at KelpDAO’s node selection, arguing the configuration did not follow recommended security standards. KelpDAO responded that it had followed the documentation that was live at the time of deployment.
Neither side is wrong in a way that matters to the victim whose rsETH is gone. But the dispute captures a pattern the industry keeps repeating. Bridges sit at the center of nine-figure exploits, two or more parties share custody of the security model, and when things break, the postmortem turns into a paperwork fight about who was supposed to rotate which key.
This time, the paperwork fight is playing out while funds are actively being laundered.
- April 18, KelpDAO bridge drained of 116,500 rsETH worth about $292M
- April 19, LayerZero publishes incident statement pointing to RPC node compromise
- April 20, Public dispute between LayerZero and KelpDAO over configuration standards
- April 21, Arbitrum Security Council freezes 30,766 ETH and intermediary wallet receives the funds
On-Chain Data Shows the Attacker Already Moving Funds
The freeze caught a piece of the stolen balance. It did not catch all of it. On-chain trackers spotted the attacker’s main wallet sending $57.93 million and $117.48 million in separate transfers on Tuesday morning, hours before Arbitrum’s signers acted on their slice.
Blockchain investigator ZachXBT, who has a track record of unwinding Lazarus-linked flows, reported that the attackers have already begun laundering portions of the haul. His post flagged roughly $1.5 million moving from Ethereum into Bitcoin through Thorchain, plus another $78,000 routed through the Umbra privacy tool. Those numbers are small against a $292 million pot, but that is how Lazarus works. They peel off test runs, they watch to see what gets blocked, then they scale.
The race now is a familiar one. Every minute the attacker has access to Thorchain, mixers, and cross-chain swaps, the stolen Ethereum becomes harder to claw back. Every minute law enforcement spends waiting for a court order is a minute the balance gets thinner.
Is Arbitrum Still Decentralized After This?
This is the question that has crypto Twitter picking fights. Arbitrum’s ability to unilaterally freeze a user’s funds, even an alleged thief’s funds, cuts against the pitch that layer-2s inherit Ethereum’s credible neutrality. If a twelve-of-twelve council can take your ETH with a vote and a press release, the argument goes, you do not actually own your ETH on Arbitrum. You rent it.
The other side of the debate is less theoretical and more practical. The balance that got frozen was stolen. It was on its way to mixers. Waiting six months for a perfectly decentralized resolution would have meant waiting for nothing. The emergency powers exist because scenarios like this one exist.
Both reads are valid. Both can be true at once. What is hard to argue with is that the council’s charter was written exactly for days like today, and today it got used. Whether it gets used again next quarter, and next month, and the month after that, is where the decentralization story really gets decided.
Call it pragmatism, call it training wheels, call it what you want. The signers blinked first, and the attacker is down $71.5 million because of it.
What This Means for Liquid Restaking and Layer-2 Users
For holders of rsETH and every other liquid restaking token, the message is blunt. The risk surface is not just the smart contract you deposited into. It is every bridge, every oracle, and every RPC node between the chain your asset lives on and the chain your yield comes from. Lazarus did not break the restaking math. It broke the plumbing.
For users sitting on Arbitrum, the takeaway is more nuanced. The Security Council showing up in the defense column is, on balance, a good thing if you are a victim. It is a less comfortable thing if you are trying to argue that your rollup is as censorship-resistant as the chain underneath it.
And for protocol teams watching this unfold, the operational lesson is the one that keeps getting repeated. Bridge security is not a documentation problem. It is an incident-response problem. The team that has a freeze lever and a law-enforcement hotline on speed dial is the team that loses the least on the day the RPC nodes get owned.
Frequently Asked Questions
What is the Arbitrum Security Council?
The Arbitrum Security Council is an elected group of twelve signers with emergency powers over Arbitrum One and Arbitrum Nova. It can pause contracts, push emergency upgrades, and freeze specific addresses when a qualifying majority votes to act, typically during active security incidents.
How much was stolen in the KelpDAO exploit?
KelpDAO lost 116,500 rsETH tokens worth roughly $292 million on April 18. The attacker drained the funds by compromising two RPC nodes in KelpDAO’s LayerZero bridge setup and launching a denial of service attack against the third, forcing a false cross-chain message to settle.
Why is North Korea's Lazarus Group linked to the attack?
LayerZero attributed the KelpDAO exploit to the Lazarus Group based on infrastructure fingerprints and laundering patterns. CISA and the FBI track Lazarus under the TraderTraitor campaign, which has targeted crypto companies using social engineering, poisoned job offers, and compromised developer environments since 2022.
Can the frozen $71.5 million be returned to KelpDAO users?
Maybe, but not automatically. The 30,766 ETH now sits in an intermediary wallet that requires Arbitrum governance approval to move. Any return to KelpDAO depositors would need a governance vote, coordination with law enforcement, and likely a legal framework for distribution to verified victims.
30,766 ETH frozen but the exploit drained 292M total. where did the other 220M go, bridged through Tornado or still sitting cold? the council statement was light on that detail.
security council intervention on Arbitrum is exactly the centralization vector people warned about in 2022. freezing funds on law enforcement input sets a precedent that cuts both ways.
wen recovery for affected depositors
feels like the Poly Network situation in 2021 all over again. hacker eventually returned most of it after negotiations. betting KelpDAO tries the white hat bounty route next.
71.5M saved is nothing to sneeze at, rsETH holders needed this win after watching the TVL crater post exploit.